Adding trusted realms to the cluster
How to specify trusted realms in Cloudera Manager.
The Kerberos instance associated with a given cluster has its REALM-NAME
specified as the
default_realm in the Kerberos configuration file
krb5.conf) on the cluster's NameNode. Rules defined in the
hadoop.security.auth_to_local property translate the Kerberos principals
to local account names at the host level (see Hadoop Users (user:group) and Kerberos Principals
and Mapping Kerberos Principals to Short Names). The default rules simply remove the
@REALM portion of the Kerberos principal and leave the short name.
To allow principals from other realms to use the cluster, the trusted realms must be specified in Cloudera Manager. For example, the Kerberos realm used by your cluster may have a trust relationship to a central Active Directory or MIT Kerberos realm. Add the central realm to the cluster as detailed in the following steps so that Cloudera Manager can apply the appropriate mapping rules to the principals from the trusted realm to access the cluster's services.
To specify trusted realms using Cloudera Manager:
- Log in to the Cloudera Manager Admin Console.
- Select .
- Click the Configuration tab.
- Select HDFS (Service-Wide) for the Scope filter.
- Select Security for the Category filter.
- In the Search field, type
Kerberos Realmsto find the Trusted Kerberos Realms and Additional Rules to Map Kerberos Principals to Short Names settings.
Add other Kerberos realms that the cluster's realm can trust. Use all upper-case
letters to specify the REALM name for MIT Kerberos or Active Directory realms:
To add multiple realms, click the plus (+) button.
- Click Save Changes.
For each trusted realm identified in Trusted Kerberos Realms, default
mapping rules automatically strip the REALM name. To customize the mapping rules, specify
additional rules in the Additional Rules to Map Kerberos Principals to Short
Names setting, one rule per line. Cloudera Manager will wrap each rule in the
appropriate XML tags and add to the generated
core-site.xml file. To create
custom rules and translate translate mixed-case Kerberos principals to lower-case Hadoop
usernames, see Mapping Rule
If you specify custom mapping rules for a Kerberos realm using the Additional Rules to Map Kerberos Principals to Short Names setting, ensure that the same realm is not specified in the Trusted Kerberos Realms setting. If it is, the auto-generated rule (which only strips the realm from the principal and does no additional transformations) takes precedent, and the custom rule is ignored.
- On the Cloudera Manager Admin Console, to choose cluster-wide actions.
- From the Actions drop-down button, select Deploy Client Configuration.